-
Notifications
You must be signed in to change notification settings - Fork 0
/
sign.py
165 lines (150 loc) · 4.91 KB
/
sign.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
import sys
import os
import yara
import hashlib
import time
import sqlite3
import classPEfile
import windows.wintrust
import struct
import classifire
import csv
import pefile
import re
import subprocess
def YaraAnalyze(sample):
directory = os.path.dirname(os.path.abspath(__file__))
path = directory + '\\rules\\'
for sig in os.listdir(path):
#print(path + sig)
rules= yara.compile(filepath=path+sig)
matches = rules.match(data=sample)
for match in matches:
#print('DETECT SIGNATURE: ', str(match), match.tags)
return True
return False
def MLAnalyze(filename):
csvparse=open('datape.csv','wb')
writer = csv.writer(csvparse,delimiter=';')
PEHeader(filename,writer)
csvparse.close()
ret=classifire.Main()
return ret
def _isUPX(peFile):
pe = peFile
flag1 = False
for section in pe.sections:
#print(section.Name)
if re.search('UPX0', section.Name):
flag = True
elif re.search('UPX1', section.Name) and flag:
return True
return False
def PackAnalyze(pePath):
directory = os.path.dirname(os.path.abspath(__file__))
pe = pefile.PE(pePath)
if not _isUPX(pe):
return False
upx = os.path.join(directory, 'upx391w')
upx = os.path.join(upx, "upx.exe")
pe.close()
#os.system(upx + " -d " + pePath)
subprocess.check_output(upx + " -d " + pePath, shell=True)
return True
'''
directory = os.path.dirname(os.path.abspath(__file__))
path = directory + '\\pack\\'
for sig in os.listdir(path):
#print(path + sig)
rules= yara.compile(filepath=path+sig)
matches = rules.match(data=sample)
for match in matches:
print('DETECT PACK: ', str(match),match.tags)
'''
def CalcHash(sample):
md5=hashlib.md5(sample).hexdigest()
sha1=hashlib.sha1(sample).hexdigest()
sha256=hashlib.sha256(sample).hexdigest()
size=(len(sample) / 1024)
return str(md5), str(sha1), str(sha256), size
def ReadFile(exe):
f = open(exe,'rb+')
binary = f.read()
f.close()
return binary
def PEHeader(fn,writer):
t = classPEfile.pefile(fn)
if not t.isPEfile:
return
row=[]
row.extend(t.printMSDOSHeader())
row.extend(t.printPEHeader())
row.extend(t.printPEOptHeader())
t.readExportSymbols()
t.readImportSymbols()
row.extend(t.getImportedFunctions())#count dlls, import
row.extend(t.getExportedFunctions())#count dlls,export
try:
row.extend([int(windows.wintrust.is_signed(fn))])#check sign
except:
row.extend([0])
writer.writerow(row)
return
def Main(filename):
#open database
conndb = sqlite3.connect('./staticlog.db')
cursor = conndb.cursor()
#read file
sample=ReadFile(filename)
#calc hash
md5, sha1, sha256, size=CalcHash(sample)
#print (md5)
cursor.execute('SELECT detect_sign, detect_ML FROM check_log WHERE md5 = ? and sha1 = ? and sha256 = ? and size = ?', (md5,sha1, sha256, size,))
res = cursor.fetchone()
if res == None:
if PackAnalyze(filename)==True:
sample=ReadFile(filename)
#print("unpack")
#Chech Sign
try:
res=YaraAnalyze(sample)
if res == True:
task = (str(md5), str(sha1), str(sha256), int(size),bool(res))
sql = '''INSERT INTO check_log ( md5, sha1, sha256, size, detect_sign) VALUES (?,?,?,?,?)'''
cursor.execute(sql,task)
#print("static")
conndb.commit()
conndb.close()
return True
#Check ML
else:
ret=MLAnalyze(filename)
task = (str(md5), str(sha1), str(sha256), int(size),bool(res),bool(ret))
sql = '''INSERT INTO check_log ( md5, sha1, sha256, size, detect_sign, detect_ML) VALUES (?,?,?,?,?,?)'''
cursor.execute(sql,task)
#print("ml")
conndb.commit()
conndb.close()
return bool(ret)
except:
ret=MLAnalyze(filename)
task = (str(md5), str(sha1), str(sha256), int(size),bool(res),bool(ret))
sql = '''INSERT INTO check_log ( md5, sha1, sha256, size, detect_sign, detect_ML) VALUES (?,?,?,?,?,?)'''
cursor.execute(sql,task)
#print("ml")
conndb.commit()
conndb.close()
return bool(ret)
#output if file analyze
else:
#print("als")
conndb.commit()
conndb.close()
for detect in res:
if detect == True:
return True
return False
if __name__ == '__main__':
filename=str(sys.argv[1])
ret=Main(filename)
print(ret)